Exploiting Apache Struts2 CVE-2017-5638 | Lucideus Research

A few days back a Chinese researcher, Nike Zheng reported a Remote Code Execution (RCE) vulnerability in Apache Struts2. The vulnerability exploits a bug in Jakarta's Multipart parser used by Apache Struts2 to achieve RCE by sending a specially crafted Content-Type header in the request.

Equifax, a consumer credit reporting agency, that collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide, confirmed that their high profile, high impact data breach was due to an exploit of the same vulnerability i.e Apache Struts CVE-2017-5638. Apache Struts is a mainstream web framework. It is widely used by Fortune 100 companies in education, government, financial services, retail and media. This is a perfect example for a vulnerability in third party component. Thus, any vulnerability in such framework yields a huge impact. This blog explains the detailed analysis of the vulnerability, exploitation and how it can be virtually patched.

Vulnerability Type:

CVSS v3 Score

The Vulnerability: Content-Type Header Injection

According to Apache, the vulnerability exists in the Jakarta Multipart parser. An Exception is thrown when an invalid value is placed in the Content-Type header. This exception is used to display the error to the user. An attacker may exploit this vulnerability to escape the data scope into the execution scope through the Content-Type header. The payload is illustrated in the Figure 1.

Figure 1

Root Cause Analysis

The root cause of the vulnerability is that Apache Struts2 by default uses Jakarta’s Multipart parser when the content type header is set to multipart/form-data. A crafted content type header with an OGNL expression ( Object Graph Notation Language) passed into Jakarta’s Multipart parser will trigger an exception which is then passed into an error message building function along with the OGNL payload. That function evaluates the OGNL expression resulting in code execution.

The payload contains (#_='multipart/form-data') which will satisfy the condition and the OGNL payload is passed into Jakarta’s Multipart parser. The parser tries to parse the payload using parse method in org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest class.

This will result in an exception and the buildErrorMessage method present in org.apache.struts2.dispatcher.JakartaMultiPartRequest is called.

The execution will further go through couple of methods, findText method calls getDefaultMessage which calls TextParseUtil.translateVariables method that calls evaluate method which will evaluate the OGNL expression in the payload.

If you consider this OGNL syntax %{ OGNL code }, anything inside %{ } is considered as an OGNL expression and will be evaluated by the OGNL parser. ${ } is also a valid expression.

In our case the following OGNL expression contains Java code that uses getRuntime().exec to execute shell commands. This will be evaluated by the OGNL parser and results in code execution.

Exploitation

Let’s quickly set up a vulnerable Apache Struts2 web application.

Prerequisites

The demo Showcase application is available as accessible from below mentioned link

Outputs of successful remote code execution are as described in following images

python str.py http://<ip>:8080/str/ "ls"

python str.py http://<ip>:8080/str/ "ls ./database"

python str.py http://<ip>:8080/str/ "cat ./database/users.sql"

Note: Sample unencrypted sql file containing credentials. Chances of this are rare in production server! It is here for Demo purpose.

Patching

It shall be interesting to see if the attack trend on the platform continues as this is not the first RCE vulnerability in Apache Struts. In the meantime, organizations using Apache Struts2 should take immediate steps to patch the vulnerability.

Official Patch

The official solution provided by Apache suggests either upgrading to a patched version or switching to a different multipart parse implementation. This is an expensive option for many companies, as an upgrade is often a long process that involves backups, testing, and sometimes even a partial downtime.

Upgrading parser

An alternative mitigation to upgrading Struts is to switch to using Jason Pells multipart parser. This plugin replaces the vulnerable Struts component and can be installed by copying the plugin jar into your application's /WEB-INF/lib directory. The library will need to be included in your application as well.

Web Application Firewall

Instead of leaving a web application exposed to attack after discovering a vulnerability while code is modified, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you’re able to patch them.

As an example of such virtual patch is a Web Application Firewall (WAF) that provides virtual patching:

Doesn’t interfere with the normal application workflow

Keeps site(s) protected and attackers out of reach

Allows site owners to control the patching process timeline

WAF such as mod_security could mitigate this attack if the rules are set to whitelist valid content types or blacklist OGNL expressions.

In addition to virtual patching, zero-day detection mechanisms and advanced threat detection modules protect sites by detecting and blocking new strains of attack prior to an attack release without any modification to systems.

Facebook

Follow by Email

Categories

Lucideus is an Enterprise Cyber Security platforms company incubated from IIT Bombay and backed by Cisco's former Chairman and CEO John Chambers. It protects multiple Fortune 500 companies and governments around the world. The name Lucideus is derived from Lucifer (Satan) and Deus (God) as they are in the business of hacking for good.